Replace test certificate chain that uses RSA+SHA-1 #121450
Conversation
Pull Request Overview
This pull request updates the Microsoft.com SSL certificate test data and associated test cases to use a newer certificate version. The changes reflect an update from the Baltimore CyberTrust Root certificate chain to the DigiCert Global Root G2 certificate chain, with an updated certificate valid from October 2025 to March 2026.
- Updates the Microsoft.com SSL certificate and its issuer/root certificate chain data
- Adjusts verification times in tests to fall within the new certificate's validity period
- Updates hostname test cases to reflect the Subject Alternative Names (SANs) in the new certificate
- Simplifies platform-specific conditional logic for chain building tests
Reviewed Changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| MatchesHostnameTests.cs | Updates hostname test cases to match SANs in the new certificate, including new domains like copilot.ai and yarp.dot.net |
| AuthorityKeyIdentifierTests.cs | Updates expected hex values for authority key identifiers to match the new DigiCert-based certificate chain |
| CollectionTests.cs | Updates verification time to December 2025 to fall within new certificate validity period |
| ChainTests.cs | Updates verification times, simplifies platform conditionals, improves expiration test structure with collection expressions, and adds better failure diagnostics |
| TestData.cs | Replaces entire certificate chain data (leaf, issuer, and root certificates) from Baltimore CyberTrust to DigiCert Global Root G2 |
```csharp
                holder.Chain.ChainElements[2].ChainElementStatus.Aggregate(
                    X509ChainStatusFlags.NoError,
                    (a, status) => a | status.Status));
            if (!PlatformDetection.IsWindows || PlatformDetection.IsWindows10Version22000OrGreater)
```
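Review bot: the `if (!PlatformDetection.IsWindows || PlatformDetection.IsWindows10Version22000OrGreater)` gate silently skips the root-element status assertion on Windows 10 builds before 22000 without saying why; add a comment on the condition recording the reason given in the thread (the NotValidForUsage application-policy status is not propagated to the root element on that leg), or assert the status that leg does produce, so the platform difference is documented rather than skipped.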
@bartonjs this one is interesting: on the Windows 10 SP0 leg this test fails because the Application Policy violation NotValidForUsage does not get propagated to the root in the chain. I can't reproduce locally on Windows 11.
I don't know why it changed from one root to another.
Open to ideas on how we should handle this better for this test.
Dismissing because it was approved before some test failures were known and need to re-evaluate the solution.
The certificate chain we were using in unit tests has a root certificate that is signed with RSA SHA-1. This signature algorithm is disabled on some Linux distributions, and it is starting to get picked up in our CI.
Let's replace the chain with one that does not use RSA+SHA-1 signatures.
On CentOS Stream 10:

Contributes to #120527
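The PR description above motivates the change by the root certificate's RSA+SHA-1 signature, which some Linux distributions no longer accept. The following is an added example, not code from this PR or from the dotnet/runtime test suite, showing how a maintainer could audit a test chain for that condition before checking it in: it builds a chain from a leaf plus any extra certificates and reports each element whose signature algorithm is sha1WithRSAEncryption. The class name `Sha1ChainAudit`, the method `FindSha1SignedElements` and the PEM-file command-line usage are assumptions of this example; the OID 1.2.840.113549.1.1.5 is the standard identifier for sha1WithRSAEncryption from RFC 3279.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography.X509Certificates;

// Added example (not part of the PR): flag chain elements signed with RSA+SHA-1.
// The root's self-signature is checked too, since that is exactly the case the
// PR description says is rejected on some Linux distributions.
public static class Sha1ChainAudit
{
    // sha1WithRSAEncryption, RFC 3279 section 2.2.1.
    private const string Sha1RsaOid = "1.2.840.113549.1.1.5";

    // Returns the subject names of every element in the built chain whose
    // certificate carries a sha1WithRSAEncryption signature. An empty list
    // means the chain is clean with respect to this check.
    public static List<string> FindSha1SignedElements(
        X509Certificate2 leaf,
        X509Certificate2Collection extraStore)
    {
        var offenders = new List<string>();

        using (var chain = new X509Chain())
        {
            // This is a data-quality audit of test material, not a trust
            // decision: skip revocation and tolerate an untrusted root so the
            // chain still gets built and every element can be inspected.
            chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
            chain.ChainPolicy.VerificationFlags =
                X509VerificationFlags.AllowUnknownCertificateAuthority;
            chain.ChainPolicy.ExtraStore.AddRange(extraStore);

            // Build returns false when the chain has status errors; the
            // elements are still populated, which is all this audit needs.
            chain.Build(leaf);

            foreach (X509ChainElement element in chain.ChainElements)
            {
                string oid = element.Certificate.SignatureAlgorithm.Value;
                if (oid == Sha1RsaOid)
                {
                    offenders.Add(element.Certificate.Subject);
                }
            }
        }

        return offenders;
    }

    // Usage (assumed layout): first argument is a PEM file holding the leaf,
    // any further arguments are PEM files holding issuer/root certificates.
    public static int Main(string[] args)
    {
        if (args.Length == 0)
        {
            Console.Error.WriteLine("usage: leaf.pem [issuer.pem ...]");
            return 2;
        }

        using X509Certificate2 leaf = X509Certificate2.CreateFromPem(File.ReadAllText(args[0]));
        var extras = new X509Certificate2Collection();
        for (int i = 1; i < args.Length; i++)
        {
            extras.ImportFromPemFile(args[i]);
        }

        List<string> offenders = FindSha1SignedElements(leaf, extras);
        foreach (string subject in offenders)
        {
            Console.WriteLine($"sha1WithRSAEncryption signature: {subject}");
        }

        // Non-zero exit lets a CI step fail when SHA-1 signatures are present.
        return offenders.Count == 0 ? 0 : 1;
    }
}
```

Because the check keys on the certificate's own signature algorithm rather than on chain status, it catches the root's self-signature as well, which a platform chain engine may or may not report as an error depending on its SHA-1 policy; that is the difference the PR's CI failures surfaced.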